[PATCH] NETWORKING: avoid use IPCB in cipso_v4_error
paul at paul-moore.com
Fri Feb 15 20:04:23 UTC 2019
On Fri, Feb 15, 2019 at 3:00 PM David Miller <davem at davemloft.net> wrote:
> From: Paul Moore <paul at paul-moore.com>
> Date: Fri, 15 Feb 2019 14:02:31 -0500
> > On Thu, Feb 14, 2019 at 11:43 AM David Miller <davem at davemloft.net> wrote:
> >> From: Nazarov Sergey <s-nazarov at yandex.ru>
> >> Date: Tue, 12 Feb 2019 18:10:03 +0300
> >> > Since cipso_v4_error might be called from different network stack layers, we can't safely use icmp_send there.
> >> > icmp_send copies IP options with ip_option_echo, which uses IPCB to take access to IP header compiled data.
> >> > But after commit 971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses"), IPCB can't be used
> >> > above IP layer.
> >> > This patch fixes the problem by creating in cipso_v4_error a local copy of compiled IP options and using it with
> >> > introduced __icmp_send function. This looks some overloaded, but in quite rare error conditions only.
> >> >
> >> > The original discussion is here:
> >> > https://firstname.lastname@example.org/
> >> >
> >> > Signed-off-by: Sergey Nazarov <s-nazarov at yandex.ru>
> >> This problem is not unique to Cipso, net/atm/clip.c's error handler
> >> has the same exact issue.
> >> I didn't scan more of the tree, there are probably a couple more
> >> locations as well.
> > David, are you happy with Sergey's solution as a fix for this?
> > If so, would you prefer a respin of this patch to apply the to the
> > other broken callers (e.g. net/atm/clip.c), or would you rather merge
> > this patch and deal with the other callers in separate patches?
> I'd like the other broken callers to be handled.
Sergey, do you think you could fix the other callers too, or do you
want some help with that?
More information about the Linux-security-module-archive